Fix OAuth secrets cleanup on server deletion and clear redirectUri as transient field

cursoragent · cursoragent · commit dcc2952495e8 · 2026-04-28T20:13:29.000Z
- Call deleteMcpServerSecret in removeMcpServer to clean up OAuth
  secrets (client_id, client_secret, refresh_token, PKCE state) from
  .mcp-secrets.json when a server is deleted
- Add redirectUri to the fields cleared by clearTransientOAuthFields,
  matching the documented contract for transient fields
diff --git a/apps/web/lib/mcp-secrets.ts b/apps/web/lib/mcp-secrets.ts
@@ -184,6 +184,7 @@ export function clearTransientOAuthFields(key: string): void {
     ...current,
     codeVerifier: null,
     oauthState: null,
+    redirectUri: null,
   };
   writeAll(all);
 }
diff --git a/apps/web/lib/mcp-servers.ts b/apps/web/lib/mcp-servers.ts
@@ -1,5 +1,6 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
+import { deleteMcpServerSecret } from "@/lib/mcp-secrets";
 import { resolveOpenClawStateDir } from "@/lib/workspace";
 
 type UnknownRecord = Record<string, unknown>;
@@ -470,4 +471,6 @@ export function removeMcpServer(key: string): void {
     delete states[normalizedKey];
     writeStatesSidecar(states);
   }
+
+  deleteMcpServerSecret(normalizedKey);
 }

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,7 @@ export function clearTransientOAuthFields(key: string): void {`
`184`	`184`	`...current,`
`185`	`185`	`codeVerifier: null,`
`186`	`186`	`oauthState: null,`
	`187`	`+ redirectUri: null,`
`187`	`188`	`};`
`188`	`189`	`writeAll(all);`
`189`	`190`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";`
`2`	`2`	`import { join } from "node:path";`
	`3`	`+import { deleteMcpServerSecret } from "@/lib/mcp-secrets";`
`3`	`4`	`import { resolveOpenClawStateDir } from "@/lib/workspace";`
`4`	`5`
`5`	`6`	`type UnknownRecord = Record<string, unknown>;`
`@@ -470,4 +471,6 @@ export function removeMcpServer(key: string): void {`
`470`	`471`	`delete states[normalizedKey];`
`471`	`472`	`writeStatesSidecar(states);`
`472`	`473`	`}`
	`474`	`+`
	`475`	`+ deleteMcpServerSecret(normalizedKey);`
`473`	`476`	`}`